(Image: Neon Sign)

I have recently become convinced that the way home wireless network access (or WiFi) has been designed is fundamentally flawed. And the worst part of it is that I understand why the manufacturers of home networking equipment have done it this way!

I believe that there is a better way to set up a home wireless network that will allow you to keep your home systems safe while providing WiFi users with what they primarily want, the Internet.

There are three parts to this post:

  1. The fundamental flaws with the present WiFi design
  2. A better WiFi design
  3. Advanced configurations


WiFi is Broken

If you have done what most people have done when implementing a wireless router, your network design and implementation was probably something like this:

  1. Design Phase - “I think I want to be able to surf the Internet and watch TV at the same time. I’ll get a WiFi router and replace my regular router.”
  2. Hardware Selection Phase - “Which one is on sale?”
  3. Implementation Phase - “Let’s see…unplug old router…plug in new WiFi router…search for WiFi connection…Done!”

What you have implemented is something that looks similar to this:

(Diagram: Bad WiFi)

You have essentially provided complete access to your home network to anyone with a wireless network card who is in the vicinity. You may as well run a patch cable out your front door and put up a big neon sign that says, “Free Network and Internet Access”! All I can say is that you had better hope that nobody nearby is running Slurpr.

It is terrifying when you realize that over 40% of the wireless networks deployed today are set up in this manner.

There are four primary areas of weakness that are present in this design. These areas are:

  1. WiFi Connection Configuration
  2. Firewall Configuration
  3. Open Internet Access
  4. Open Network Access

Let’s take a look at these weaknesses in more detail.

1. WiFi Connection Configuration

Most wireless firewalls are designed to be easy to configure, not secure. This is because hardware manufacturers cannot sell a product that the consumer cannot configure or use. Unfortunately, WiFi security is beyond the majority of users so this component is generally left out of the equation. It is not uncommon to find WiFi connections with:

  • Broadcasted SSID
  • Default SSID
  • SSID that identifies the network
  • No or weak encryption
  • No MAC address authentication
  • No shared key or certificate authentication
  • Connection set to ad hoc mode

2. Firewall Configuration

Just like the WiFi connection configuration, the firewall is generally configured with the least amount of security so that it is easy to deploy. Many systems are configured with:

  • Default admin password
  • DHCP running
  • Large DHCP zone
  • Default subnet
  • No SSL encryption
  • Open admin console on external port
  • No logging

All of these pose security risks.

3. Open Internet Access

Anyone who hops on your wireless network connection can now have complete access to the Internet. While this may not seem like an issue in the beginning, there are a few issues to take into consideration:

  1. If you have a limited amount of upload and download volume from your Internet provider, you could find extra bandwidth charges on your monthly Internet bill if someone is downloading massive amounts of data (e.g. file sharing, BitTorrent, P2P, etc.)
  2. Most Internet providers have as part of their contract that you will not share your Internet connection with anyone else. By setting up an open wireless network, you may find yourself in breach of this contract and you could lose your Internet access altogether.
  3. If someone is using your Internet access to perform illegal activities (e.g. accessing child pornography, cracking, etc.) then guess who the police are going to be coming after? The criminal? Try the name of the person to whom the external IP address is registered. While you may be found innocent in the end, sometimes all it takes is the accusation to ruin a person’s life.

4. Open Network Access

Probably the most disturbing aspect of this WiFi design is that the WiFi component completely bypasses the one thing that your firewall is supposed to do: Keep people out of your network. The wireless connection puts anyone who uses it right on the same network as all of your “secure” systems. And, if you put as much care into securing your home computers as you do in securing your WiFi network (read “none”) then you could very easily find that all of your personal data and information is up for grabs.

A Better WiFi Design

I have spent some time thinking about how to better secure your home WiFi network and I have come up with a solution that will help to lock things down significantly by addressing the main vulnerabilities that we talked about earlier. This solution:

  1. Locks down the WiFi connection
  2. Secures the wireless firewall
  3. Restricts Internet access to pre-configured users
  4. Segments home computers and servers from wireless users

(Diagram: Good WiFi)

The other nice thing is that most of this can be done at no extra cost because it uses the equipment that you probably already have.

And, the solution is flexible enough that if you do have a need for more than just providing Internet access to WiFi users, you can provide it with a minimal amount of extra cost.

1. Lock Down WiFi Connection

This is probably the most important part of the entire process. With this properly configured, you can eliminate the biggest risks to your network. Follow these guidelines:

  1. Use WPA2 encryption for all communications
  2. Make sure that you use either certificates or shared keys for the encryption
  3. Don’t broadcast your SSID. You should only do this for testing
  4. Change your SSID to something obscure like 89cyr65g6vwe or n08345cvb4wq. Definitely do not use the default SSID that came from the company and do not use something like your phone number, last name, or address
  5. Use MAC address authentication to ensure that only specific systems can access the WiFi link
  6. Use infrastructure mode, not ad hoc, for connectivity

Once you have done this, does this mean that nobody can use your WiFi connection without you knowing? No. Someone who did their homework and gathered the right information could potentially still get access to your WiFi connection, but they would have to know:

  • Your shared WPA2 key
  • Your SSID
  • Your MAC address

This person would also have to know how to change their MAC address on their wireless network card. While this is not impossible, it is an awful lot of work to just get access to someone’s network.

It is also very important to use infrastructure mode for the connection. This needs to be set on the firewall and on the wireless network cards. This way, people cannot use your laptop's wireless card as a wireless bridge to get to your network.

2. Secure the Wireless Firewall

The next thing that you need to do is secure the wireless firewall. This is important because if your firewall is compromised, then all of the other security measures can very easily be undone without you even knowing it.

You need to make sure that you take these steps:

  1. Change the administrator password
  2. Use SSL encryption for all web communication between the firewall and your systems
  3. Close any external management interfaces
  4. Disable DHCP or at the very least set it to a very small scope (one or two IP addresses) and set DHCP reservations
  5. Change the internal subnet from the factory default
  6. Create a very small internal subnet. Use a 28-bit (255.255.255.240) or 29-bit (255.255.255.248) subnet mask to limit your network to 14 or 6 hosts respectively
  7. Do not allow pings on the external interface
  8. Log all activity, preferably to a secure external logging source, although internal logging can be just as effective
  9. Keep a backup of the configuration in case something happens to the firewall and the configuration gets lost

The downside of all this is that you will need to configure your WiFi enabled devices with all the network and IP information manually. But, it is a small price to pay for security.
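As an added illustration of the two checklists above (Lock Down WiFi Connection and Secure the Wireless Firewall), not part of the original post, the script below audits a constructed router configuration against each item and reports what fails, comparing an out-of-the-box setup with a hardened one. The field names, the sample factory default SSIDs, passwords and the 192.168.1.0/24 subnet are assumptions for illustration, not any vendor's actual export format.

```python
import ipaddress

# Constructed audit against the two checklists in this post. Field names and the
# sets of "factory default" values below are assumptions for illustration only,
# not a real vendor's configuration export format.
FACTORY_SSIDS = {"default", "linksys", "netgear", "dlink"}   # assumed common defaults
FACTORY_PASSWORDS = {"admin", "password", ""}                # assumed common defaults
FACTORY_SUBNET = ipaddress.ip_network("192.168.1.0/24")      # assumed common default

def audit_router(cfg):
    """Return the checklist items a router configuration fails (empty list = all pass)."""
    net = ipaddress.ip_network(cfg["subnet"], strict=False)
    checks = [
        # 1. Lock down the WiFi connection
        (cfg["encryption"] != "WPA2", "encryption: use WPA2 for all wireless traffic"),
        (cfg["ssid_broadcast"], "ssid: broadcast enabled; turn off except while testing"),
        (cfg["ssid"].lower() in FACTORY_SSIDS, "ssid: factory default name"),
        (not cfg["mac_filter"], "wifi: MAC address authentication disabled"),
        (cfg["mode"] != "infrastructure", "wifi: not in infrastructure mode"),
        # 2. Secure the wireless firewall
        (cfg["admin_password"] in FACTORY_PASSWORDS, "admin: factory default password"),
        (not cfg["admin_https"], "admin: console not using SSL"),
        (cfg["admin_external"], "admin: console reachable from the external interface"),
        (cfg["dhcp_enabled"] and cfg["dhcp_scope_size"] > 2,
         "dhcp: scope larger than two addresses; disable or use reservations"),
        (net == FACTORY_SUBNET, "subnet: factory default"),
        (net.prefixlen < 28,
         "subnet: /%d gives %d hosts; use /28 (14) or /29 (6)" % (net.prefixlen, net.num_addresses - 2)),
        (cfg["ping_external"], "wan: answers ping on the external interface"),
        (not cfg["logging"], "logging: disabled"),
    ]
    return [msg for failed, msg in checks if failed]

# Constructed "plug it in and go" configuration from the WiFi is Broken section.
OUT_OF_THE_BOX = dict(encryption="none", ssid_broadcast=True, ssid="linksys", mac_filter=False,
                      mode="infrastructure", admin_password="admin", admin_https=False,
                      admin_external=True, dhcp_enabled=True, dhcp_scope_size=100,
                      subnet="192.168.1.0/24", ping_external=True, logging=False)
# Constructed configuration that follows both checklists (subnet is an arbitrary /28).
HARDENED = dict(OUT_OF_THE_BOX, encryption="WPA2", ssid_broadcast=False, ssid="n08345cvb4wq",
                mac_filter=True, admin_password="<strong unique password>", admin_https=True,
                admin_external=False, dhcp_enabled=False, subnet="10.37.91.16/28",
                ping_external=False, logging=True)

if __name__ == "__main__":
    for name, cfg in (("out of the box", OUT_OF_THE_BOX), ("hardened", HARDENED)):
        print(name, "->", audit_router(cfg) or ["all checks pass"])
```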

3. Restricted Internet Access

With this configuration in place, you have now essentially eliminated access to the Internet for anyone who does not have authorization. In order to access the Internet, a cracker would have to know the following for your network:

  • Your SSID
  • Your WPA2 shared key
  • Your MAC address
  • Your subnet and subnet mask
  • An available static IP address
  • Your ISP, in order to look up its DNS settings

4. Segmented Home Network

With the home network behind its own internal firewall, it is protected not only from users on the Internet but also from people who may have gathered enough information to make a WiFi connection. This is key to protecting home network systems and ensuring that they are not compromised.

Fortunately, most people adding a wireless router are replacing an existing wired one, so it is a small task to keep that router in place as the second, internal firewall in their networking environment.

One drawback of this basic implementation is that it will prevent you from accessing shared resources on the home network from a wireless device. But, you can overcome those limitations as described in the advanced design section.

Advanced Configurations

This is just the tip of the iceberg. You can make several other modifications to the design that would allow you greater security or greater flexibility. A couple of ideas include:

  • Providing VPN access to resources behind the internal firewall using SSH or SSL VPN solutions
  • Adding a web proxy with username and password authentication for access to the Internet
  • Implementing IPSec for all network communication

Conclusion

While most out-of-the-box WiFi configurations leave much to be desired in the way of network security, a little bit of effort and planning can allow you to build a much more secure infrastructure without adding much (if anything) to the cost of the network.
